
Unknown, unmanaged, and unprotected privileged accounts violate compliance mandates

To pass your next compliance audit you must demonstrate effective privilege management.

The Challenge

Compliance audits are time-consuming and stressful, but you can’t avoid them.

The Danger

Failure to comply can be risky, expensive, and embarrassing.

The Solution

Privilege management helps you meet requirements and prove compliance.

Every major security framework and regulation demands proper password protection.

New compliance standards are emerging, and audits are becoming more frequent and intense. Compliance bodies now place a higher level of responsibility on security leaders, executives, and Boards of Directors.

Virtually every organization that handles data must abide by security compliance requirements. If you handle any type of personal, financial or health information, you must be able to demonstrate compliance or face significant financial penalties and public embarrassment. If you are seeking government contracts you must receive a stamp of approval from security auditors to be successful.

Compliance for compliance’s sake is not the goal. The real goal is effective security against rising cyber threats. Even if you are not required by law to comply, you can use compliance regulations as a framework for security best practices. Effective privilege management helps you pass compliance audits and reduces your cyber risk.

Before auditors come knocking, get smart about compliance

How can you prepare for a compliance audit? First run an internal audit to see where you stand and how your current controls map to the regulatory requirements.

As part of the audit, you must be able to identify all the privileged accounts in your organization and explain how controls over privileges work to safeguard protected data. Many organizations have hundreds or thousands of privileged accounts. That list includes service accounts that are not associated with individuals and may easily slip through the cracks. It includes privileged accounts in operating systems and platforms beyond Windows, such as root and other accounts in Unix/Linux.

Why would 70% of organizations fail a cyber security compliance audit?

Many organizations don’t have effective password management practices in place. Even if you wrote up a password policy and rolled out compliance training, without the right technical controls people will fall back on bad habits. In a compliance review, auditors will find security gaps such as accounts with no password set, the same password reused across accounts, and passwords shared between people.
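As an added illustration (not code from the original page, and not Thycotic’s Privilege Discovery Tool), the following Python script shows the kind of check the two paragraphs above call for on a Unix/Linux host: it enumerates privileged accounts (UID 0 accounts, accounts granted directly in sudoers, and members of groups granted in sudoers, which is how non-person service accounts usually acquire privilege), and it flags accounts with no password set and accounts whose password hashes are identical. The /etc/passwd, /etc/shadow, /etc/group and sudoers contents below are constructed samples embedded inline so the script runs offline; on a real host you would read the actual files, which requires root for /etc/shadow.

```python
"""Privileged-account discovery and password-hygiene checks (added example)."""
from collections import defaultdict

# Constructed sample account files; these are not from any real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:backup toor:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-deploy:x:1500:1500:deploy agent:/opt/deploy:/bin/sh
"""
SHADOW = """\
root:$6$salt$hashA:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
alice:$6$salt$hashA:19000:0:99999:7:::
bob:$6$salt$hashB:19000:0:99999:7:::
svc-deploy:!:19000:0:99999:7:::
"""
GROUP = """\
wheel:x:10:alice,bob
"""
SUDOERS = """\
# constructed sudoers fragment
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL:ALL) ALL
svc-deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl
"""


def parse_passwd(text):
    """Return one dict per well-formed passwd line (name, uid, gid, shell)."""
    accounts = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, _home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid), "shell": shell})
    return accounts


def parse_group(text):
    """Map group name to its explicit member list."""
    members = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 4:
            continue
        members[fields[0]] = [m for m in fields[3].split(",") if m]
    return members


def parse_sudoers(text):
    """Return (users, groups) named as principals in simple sudoers rules.
    Only the plain 'who HOST=(runas) command' form is handled; aliases,
    Defaults lines and @include directives are ignored (assumption)."""
    users, groups = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@" or line.startswith("Defaults"):
            continue
        principal = line.split()[0]
        if principal.startswith("%"):
            groups.add(principal[1:])
        else:
            users.add(principal)
    return users, groups


def find_privileged(passwd_text, group_text, sudoers_text):
    """Map each privileged account name to the list of reasons it is privileged."""
    groups = parse_group(group_text)
    sudo_users, sudo_groups = parse_sudoers(sudoers_text)
    reasons = defaultdict(list)
    for acct in parse_passwd(passwd_text):
        if acct["uid"] == 0:            # any UID-0 account is root, whatever its name
            reasons[acct["name"]].append("uid 0")
        if acct["name"] in sudo_users:
            reasons[acct["name"]].append("sudoers")
    for group in sorted(sudo_groups):  # group-based sudo grants reach their members
        for member in groups.get(group, []):
            reasons[member].append(f"member of sudo group {group}")
    return dict(reasons)


def audit_shadow(shadow_text):
    """Flag accounts with an empty password field and identical password hashes."""
    empty, by_hash = [], defaultdict(list)
    for line in shadow_text.splitlines():
        if not line:
            continue
        name, hashed = line.split(":")[:2]
        if hashed == "":
            empty.append(name)               # no password at all
        elif hashed.startswith(("*", "!")):
            continue                         # locked/disabled: no reusable secret
        else:
            by_hash[hashed].append(name)
    duplicates = {h: names for h, names in by_hash.items() if len(names) > 1}
    return {"empty": empty, "duplicates": duplicates}


if __name__ == "__main__":
    for name, why in sorted(find_privileged(PASSWD, GROUP, SUDOERS).items()):
        print(f"{name}: {', '.join(why)}")
    print(audit_shadow(SHADOW))
```

Two caveats a practitioner should keep in mind: an identical crypt(3) hash string means identical salt and password, which typically happens when a hash was copied between accounts or baked into an image, so accounts sharing a password under different salts will not be caught by this comparison; and the sudoers parser deliberately ignores aliases and included files, so on a real host run `sudo -l -U <user>` to confirm what each account can actually do.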

To pass an audit you must implement and enforce granular limitations on access privileges for systems and data. You must monitor and report on ongoing access for internal users and third parties. Password protection and privileged access policies should be consistent, regardless of platform.

A one-time clean-up before an audit is not the solution. Increasingly, audit bodies are looking for demonstrable proof that cyber security policies are maintained on an ongoing basis, which means systematic, automated security controls rather than manual fixes. You may not get a second chance to correct the mistakes.

Try Secret Server for 30 days

  • Free enterprise-level support
  • Choose your preferred deployment option
  • The easiest PAM Solution you’ll ever use

Free Tool:

Auditing privileged accounts can be painfully tedious and results are often incomplete.
Run Thycotic’s free Privilege Discovery Tool and get a comprehensive summary report highlighting your risks.


Why will 70% fail audits? Find out in the Global State of PAM Compliance


Compliance and Privileged Account Management – a Perfect Match

See how your security practices map to compliance requirements

Which compliance regulations do you need to follow? How can you satisfy auditors? Some regulations are highly prescriptive while others give you broad guidelines but leave the detailed decisions up to you. See how your privilege management practices stack up to the latest compliance requirements. Make sure you know the deadlines so you can be ready when the auditors arrive.

EU GDPR
Any organization processing the personal data of individuals in the EU is obligated to meet standards for effective data protection, adequate security measures, and privacy by design to comply with the EU General Data Protection Regulation (GDPR).

NERC CIP
Under the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, energy and utility companies must enforce strict access control in order to protect assets from the threat of a cyber attack.

CIS Controls
The Center for Internet Security (CIS) Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) are a set of security best practices designed to prevent the most common and significant cyber threats; several of the controls deal with controlling administrative privileges and protecting account credentials.

NYCRR
One of the strictest US cyber security regulations at either federal or state level, the New York Department of Financial Services regulation (23 NYCRR Part 500) applies to New York insurance companies, banks, and other regulated financial services institutions, including agencies and branches of non-US banks licensed in the state of New York.

HIPAA
Any organization that creates, receives, maintains, or transmits electronic protected health information (ePHI) in the US must meet HIPAA requirements for access control and data sharing.

SOX
Sarbanes-Oxley (SOX) is designed to reduce corporate fraud by requiring effective internal controls over financial reporting; auditors extend this to the IT and access controls around the systems that hold financial data, so privileged access to those systems must be restricted and recorded.

PCI DSS
PCI DSS provides organizations that accept, store or transmit credit card data with requirements for privilege management and a framework to protect cardholder data.

UK Cyber Essentials
Suppliers bidding for UK government contracts that involve handling sensitive or personal information must hold Cyber Essentials certification, which includes demonstrating user access control and the enforcement of privilege management.

NIST SP 800-53 and FISMA
The National Institute of Standards and Technology (NIST) catalogues in NIST SP 800-53 the security controls, including access control and privilege management, that federal agencies and government contractors must implement to comply with FISMA.

UAE NESA
The National Electronic Security Authority (NESA) in the United Arab Emirates requires government entities and businesses in critical sectors to closely control and protect privileged accounts.

New Zealand Cyber Security Strategy
The refreshed New Zealand Cyber Security Strategy adds an Action Plan and a National Plan to Address Cybercrime to the original four key principles, and replaces the New Zealand Cyber Security Strategy of 2011.